Information Security, SHA1, TLS, Windows

Challenges for 2015

I think that for the rest of this year and early next year we are going to see quite a few challenges that will cause shifts in our platforms and user computing base.  Some of these, such as the end of support for Windows XP and Server 2003, we have seen coming for quite a while and knew we had a deadline.  Others were more  along the lines of ‘yeah, thats bad and we will fix it some day’.  Over the last two years these slow burning ‘some day’ issues have been fully ignited due to the Snowden releases and several SSL/TLS vulnerabilities turning the theoretical risk into practical and operational problems.

I don’t plan on going into too much detail here but what I want to do is to provide a list of  some challenges that I think many of us will be facing over the next 12 months or so.

Continue reading

Information Security, Nmap, SHA-1, SHA1, TLS

Using Nmap to find x509 (SSL/TLS) certificates that have SHA-1 and MD5 based signatures

A couple of months ago there was quite a bit of press about Google and Mozilla becoming more aggressive about how they handle x509 (SSL/TLS) certificates that have SHA-1 based signatures. The background for this is linked in the references section at the end of this post. In short, the SHA-1 cryptographic hash algorithm is considered too weak to be safely used as part of the public web PKI.

The impact for site operators and network security teams is that over the next two years browser users will begin to see warnings that indicate that a site is secure but with errors when it uses a SHA-1 certificate that expires after January 1, 2016.  Sites will be flagged as insecure if the SHA-1 certificate expires after January 1, 2017. This is something that requires action now as certificates are generally bought or generated with at least a one year life but in many cases organizations are using 2, 3, or 5 year certificates.

Continue reading